Hacking Team Leak Leads to Discovery of Silverlight Zero-Day

One of the vulnerabilities patched by Microsoft on Tuesday with the first round of security bulletins for 2016 was a Silverlight zero-day which Kaspersky Lab identified in November as a result of an investigation into Hacking Team’s exploits.

The Silverlight flaw, identified as CVE-2016-0034, was patched with the MS16-006 critical bulletin. According to Microsoft, the remote code execution vulnerability can be exploited by an attacker via a website set up to host a specially crafted Silverlight application.

If an attacker can get a user to visit the malicious website and the exploit is successful, the attacker can obtain the same permissions as the victim. If the victim has administrative privileges, the attacker can take complete control of the vulnerable system, Microsoft said.

The story of how Kaspersky Lab discovered the Silverlight zero-day starts in July 2015, shortly after a hacker leaked hundreds of gigabytes of data, including exploits for zero-day vulnerabilities, from the systems of controversial Italy-based spyware maker Hacking Team.

Among the more than one million emails published by WikiLeaks after the breach, Ars Technica discovered communications between a then 33-year-old Russian exploit developer named Vitaliy Toropov and Hacking Team.

In 2013, Toropov sold an Adobe Flash Player exploit to Hacking Team for $45,000 and also offered to sell a Silverlight exploit that he claimed was written two and a half years prior and had still not been discovered. It’s unclear if Hacking Team acquired this Silverlight exploit from the hacker.

This mysterious Silverlight exploit caught the attention of Kaspersky Lab researchers who started analyzing Toropov’s exploits. The Russian hacker had published details and exploits for many of the vulnerabilities he identified, including a Silverlight memory disclosure issue found in 2013.

Since the description of this Silverlight bug was also accompanied by a proof-of-concept written by Toropov, Kaspersky researchers created a YARA rule designed to detect specific strings taken from a DLL file that implemented the exploit.

YARA is a tool that allows researchers to identify and classify malware based on textual or binary patterns that are described in what are known as YARA rules. Security firms often use YARA to identify and track threats, including APT actors.
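As an added illustration of the approach described above (this rule is written for this article and is not Kaspersky Lab's rule, nor does it reproduce any string from Toropov's proof-of-concept), the rule below shows the shape of a "strings lifted from a known exploit DLL" detection. The `$err*` and `$sym*` values are placeholders standing in for the custom error messages and class names a researcher would copy out of the PoC binary; the `MZ` header check, the `BSJB` CLR metadata signature and the `filesize` bound are real YARA constructs used to keep the rule from firing on arbitrary files.

```yara
// Added example rule, not a vendor rule. Placeholder strings must be replaced
// with values actually extracted from the exploit DLL before use.
rule silverlight_exploit_poc_strings
{
    meta:
        description = "Illustrative: strings lifted from a known Silverlight exploit PoC DLL"
        reference   = "Example written for this article; placeholder strings"

    strings:
        // Silverlight applications are managed (.NET) assemblies, so their
        // string literals are stored as UTF-16. 'wide' matches that encoding;
        // 'ascii' also catches the same text if it appears in narrow form.
        $err1 = "PLACEHOLDER_CUSTOM_ERROR_1" wide ascii   // hypothetical custom error string
        $err2 = "PLACEHOLDER_CUSTOM_ERROR_2" wide ascii   // hypothetical custom error string
        $sym1 = "PLACEHOLDER_EXPLOIT_CLASS"  wide ascii   // hypothetical class or method name

        // "BSJB" is the signature at the start of the CLR metadata root and is
        // present in every .NET assembly; it restricts the rule to managed code.
        $clr = "BSJB"

    condition:
        uint16(0) == 0x5A4D and      // 'MZ': the file is a PE image
        filesize < 2MB and           // exploit DLLs are small; skip large files cheaply
        $clr and                     // managed assembly, as a Silverlight app would be
        2 of ($err*, $sym*)          // require several exploit-specific strings, not one
}
```

A rule like this is scanned retrospectively over sample archives and left running on incoming submissions; the first hit on a file whose compile time postdates the public PoC is exactly the signal that prompts manual analysis, as happened here. Requiring two or more of the exploit-specific strings, rather than any single one, keeps a common error message from producing false positives across unrelated Silverlight applications.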

The YARA rule written by Kaspersky produced no hits until November 25, 2015, when a sample matching the description of the 2013 Silverlight exploit published by Toropov was detected on a user's machine. Another sample of the exploit was uploaded later that day from Laos to a multiscanner service.

After analyzing the file, which had been compiled on July 21, 2015, shortly after the Hacking Team breach came to light, Kaspersky researchers determined that it was a new Silverlight exploit targeting a previously unknown vulnerability and reported it to Microsoft.

Microsoft says in its advisory that it's unaware of any attacks attempting to exploit the vulnerability. However, Kaspersky Lab's Costin Raiu told SecurityWeek that this is an inaccuracy which Microsoft plans to correct.

It’s unclear if this flaw, which affects Silverlight versions prior to 5.1.41212.0, is the one that Toropov advertised in 2013.

“Several things make us think it’s one of [Toropov’s] exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one,” Kaspersky researchers wrote in a blog post.

*Updated with clarification from Costin Raiu that Microsoft's advisory is inaccurate